Like any major undertaking - learning to drive a car, baking a cheesecake, or building a shed – you need to start with knowing the exact process of what you are trying to do. To properly operate a car, you need to know where the turn signals, gear shifter, lights, and gas pedal are located.
As analysts, we have a job to find hidden connections within our data. Hidden links that allow us to identify networks and help investigations. But finding these hidden connections is not always easy.
i2 Analyst’s Notebook (ANB) is a powerful tool that allows us to dig deeper into our data and find hidden connections. If used properly, i2 can help you identify, analyze, and exploit these connections. But, like a car, i2 ANB can be complex, and the basics are important.
This post is a quick tutorial on the basics of i2 Analyst’s Notebook. It is meant for a new or inexperienced i2 user.
In this i2 Analyst’s Notebook tutorial, we are focusing on the essential components of ANB. These posts can help you figure out what type of Analyst’s Notebook training is right for you.
We assume you already have i2, but if you don’t have i2 yet, I recommend that you contact IBM directly.
About this i2 Analyst’s Notebook Tutorial
In this i2 Analyst’s Notebook Tutorial, we are going to cover the basics – including what analysts use i2, the essential components of ANB, introduce you to charts, and the basic ANB search capabilities. Here is a list of the main components of i2 that we are going to try and cover.
About ANB
ANB in Action
ANB Users
Entities
Links
Attributes
Link Charts
Timeline Charts
Search
Throughout this post, we also have links to various ANB tips. New tips will be added routinely, so sign up for our mailing list to stay on top of this ANB Tradecraft.
About i2 ANB
The first thing in this i2 Analysts Notebook tutorial is to define exactly what it (ANB) is. IBM i2 ANB is a visual analysis tool that can help you turn data into intelligence. It provides innovative features such as connected network visualizations, social network analysis, and geospatial or temporal assessment tools. This insight can help you better identify and disrupt criminal, cyber, and fraudulent threats.
i2 is like an onion. The more you know about it, the more capabilities and tools you uncover, the more you can do with it.
Before using i2, I need to emphasize the importance of knowing your data. We have all heard of the term “garbage in, garbage out.” If you don’t have good data, i2 can’t do much for you. If you have good data, but don’t understand it, i2 can’t do much for you. It is through knowing your data that you can become an i2 Ninja.
i2 in Action: Our i2 Analyst’s Notebook Tutorial “War Story”
What does i2 ANB look like in action? Take a look at our companion post to this i2 Analyst’s Notebook tutorial titled “i2 in Action". This series of case studies about a fictional human trafficking investigation will be used to show you what i2 ANB looks like in action.
Analysts That Can Use i2
i2 is a tool that can be used by countless different analysts and investigators for a wide variety of investigations. Why? Because it uses the data that is loaded into it and the connections in that data. It can be used by anyone with data (and skills). Here is a quick list of potential users of both this i2 Analyst’s Notebook tutorial and i2 itself.
Criminal Intelligence Analysts
Law Enforcement Officers
Business Intelligence Analysts
Investigators
Retail Intelligence Analysts
Financial Intelligence Analysts
Criminal Intelligence Analysts
Military Intelligence Analysts
Insurance Fraud Analysts
Any analyst that has a job of investigating the connections between people, places, events, and things in large sets of data can benefit from i2.
The Components of i2
The three primary components of i2 are entities, links, and attributes. Our Dashboard is depicted in Figure 1.
It’s blank now, but don’t’ worry. It can get filled up pretty quickly.
A recurring term that we will use is ‘pallete’. Palletes are the different sections on the right of your Dashboard (Entity, Links, Attributes). This entire 3 pallete section is called the Task Pane.
Now, let’s get back our i2 components – entities, links, attributes. We will dig into each of these more deeply below.
Entities
Each entity has a representation to determine how it is displayed on the chart surface and a type to categorize it.
One easy entity to understand is a person. A person is often represented by a simple icon, as is displayed in Figure 2.
There are more than 600 types of entities (people, phones, credit cards, buildings, etc.) There are seven different representations (icons, boxes, theme lines, etc.). It is pretty easy to search for entities by name using the entity search tool.
Working with Entities
Here are a couple of essential things to think about when working with entities. These help you not have to do everything manually.
i2 has 600 default entity types. You can use the Search Entities tool to search the different entities by name and to keep you have from having to switch to a different sub-palette. For example, if you are looking for a bullet, you can search for that.
Sometimes we can get duplicate Entities on a chart. When this happens you can merge multiple entities into a single entity.
We might need to cluster entities together so that they can be moved as a single unit. Check out our i2 ANB how-to post "Grouping Entities in i2 ANB".
You can add the same value to multiple entities, for example, if you needed to add US citizenship to a group of 200 people, it is easier to do them all at once instead of individually.
Links
Links show the connections, such as activity or relationship between entities.
Take a look at how links are used in Figure 3.
In this chart, the arrows describe the direction of the transaction between the accounts.
When working with links, you can:
List all the entities linked to a selected entity. This can help you see connections in your data.
Adjust the labels and spacing between links to make them easier to view. Sometimes they overlap and it can be hard to look at.
Display the date and time on links after importing your data. Date and time information is not displayed by default.
...and much more.
Attributes
Attributes are pieces of information (metadata) associated with an entity. The more attributes you have, the more granular your data becomes for analyzing.
Relevant attributes will depend on the nature of the entity itself. For example, attributes of a person (such as a suspect) could include address, phone number, or employer. While attributes of a location (such as a bank) could be the address, x, and y coordinate (for mapping), type of building, or the owner.
An attribute is represented by class, type, and value. Take a look at Figure 4. The car is our entity and the make, model, year, and color of the car are attributes.
You can store specific pieces of information on chart items as attributes. Attributes are often displayed as part of the entity on a chart surface for presentation purposes and are also very useful during analysis.
While attributes are useful for analytical purposes, they can get cumbersome when trying to visualize. When displaying attributes on a chart, you can hide them through the “edit chart properties” feature.
Types of Charts
Charts are the sandbox where we combine and visualize our entities, links, and attributes. Charts can hold a lot of data (up to approx. 1GB). There are two types of charts – Relational Analysis (Link Charts) and Temporal Analysis (Timelines).
Link Charts: Link charts show us the connections between the entities. Link charts can be simple or complex, check this one out in Figure 5.
That’s right, this is a link chart. But it is too much for us to really work with for our purposes. Let’s go back to Figure 3 from earlier.
Figure 4 is showing the links between various phone numbers associated with an investigation and the arrows show the direction of those calls.
One thing we might want to do in our chart is to add a label. Labels allow us to help identify charts later. You can also add signature blocks as well.
Timeline Charts: also called a themeline or temporal analysis chart.
A timeline chart allows us to display events associated with an entity in the sequence in which they occurred. For example, they could be used to display the order of cash deposits by a specific entity.
An example timeline chart is displayed in Figure 7. Figure 7 depicts those same calls from our link chart, but in a timeline.
Working with Charts
When most of us are analyzing data, we can construct multiple charts with different data, searches, and entities. Thankfully, i2 lets us view multiple charts simultaneously.
To learn how, take a look at our how-to companion post "Viewing Multiple Charts in i2 ANB."
We can also add images (.jpeg, .bmp, .png) to a chart. This is useful, especially when we want to personalize entities on our chart for a presentation.
Basic Search & Analysis Tools
Before we start, let me give you a quick tip. We all have different routine analyses that we conduct; I do and you will. You can add frequently used tools from the various tabs to your Quick Access Tool Bar.
Search is one of the key tools of i2 ANB. There are many different types of searches that we can use. There are three that we are going to focus on in this blog.
Search for specific words and phrases in a chart. It is not case sensitive, and it looks for words and phrases in our data.
List items provides us a tabular view of entities and relationships in a chart. With listed items, we can sort by ascending and descending order and move columns around.
List all the entities that are linked to a selected entity.
There are a variety of other analytical tools relevant to the more advanced user, these include the “Find Text” search tool, the visual search tool, and social network analysis. You can learn more about these tools and techniques in our instructor-led training courses.
A Need for Training
i2 can be intimidating without proper training. It is tough to pick up a manual (if you can find one) and learn to use it. We recommend that you get some form of instructor-led training.
An experienced i2 instructor can help you understand how to quickly and easily identify hidden connections in your data. Don’t hesitate to contact us if you would like to discuss which i2 ANB training is right for you.
A Few Final Takeaways
In this i2 Analyst’s Notebook Tutorial, we showed you some of the basics. It is probably a lot to take in all at once, that’s ok. You can’t become an i2 Ninja overnight. But, by learning the parts of i2 this gives you a solid foundation.
If you haven’t already signed up, add your name to our mailing list. This will give you access to i2 Tips, Tips, and Tradecraft and help you learn about I2 techniques for the new and advanced user.